www.ncbi.nlm.nih.gov / pubmed

Dave Sparro dsparro at gmail.com
Wed Aug 18 16:48:45 UTC 2010


On 8/18/2010 8:30 AM, Phil Mayers wrote:
> On 18/08/10 13:15, Lightner, Jeff wrote:
>> It comes right up in Firefox but prompts for a username and password.
>
> Do you have DNSSEC validation enabled? Because as per my email, it's a
> DNSSEC problem.
>
> After a bit of investigation, it seems that the problem is a missing
> NSEC/NSEC3 record in the empty reply for:
>
> $ dig +dnssec @165.112.4.230 ncbi.nlm.nih.gov ds
>
> ...since the "ncbi" zone is an unsigned child zone, there needs to be an
> NSEC/NSEC3 record to prove the absence of the DS record, and have a
> secure delegation to an unsigned child zone.


It sounds to me like DNSSEC validation is working as designed.  If your 
DNS server's users are complaining about not being able to resolve 
something that fails validation, the question you need to ask is do your 
end-users really want you to do DNSSEC validation for them?

If you're asking for a workaround for when validation fails, there's not 
much point to doing the validation.

-- 
Dave
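
The check Phil describes in the quoted text, as an added example that is not part of the original thread: it reads `dig +dnssec <name> ds` output and reports whether an empty DS answer carries a signed NSEC/NSEC3 record for an insecure delegation. The zone names, sample responses and function names are constructed for illustration; it inspects record presence and the NSEC type bitmap only, and does not verify signatures or NSEC3 owner hashes.

```python
def section(dig_text, name):
    """Return (owner, type, rdata) tuples from one section of dig output."""
    records, inside = [], False
    for line in dig_text.splitlines():
        if line.startswith(";;"):
            inside = line.startswith(f";; {name} SECTION")
        elif inside and line.strip() and not line.startswith(";"):
            fields = line.split(None, 4)  # owner, ttl, class, type, rdata
            if len(fields) == 5:
                records.append((fields[0].lower(), fields[3].upper(), fields[4]))
    return records

def classify_ds_response(dig_text, qname):
    """Classify the reply to a DS query sent to the parent zone's server."""
    qname = qname.lower().rstrip(".") + "."
    if any(rtype == "DS" for _, rtype, _ in section(dig_text, "ANSWER")):
        return "signed-child"  # DS present: delegation to a signed child
    auth = section(dig_text, "AUTHORITY")
    # Types that have a covering RRSIG in the authority section.
    signed = {rdata.split()[0].upper() for _, rtype, rdata in auth if rtype == "RRSIG"}
    for owner, rtype, rdata in auth:
        if rtype == "NSEC" and owner == qname and "NSEC" in signed:
            types = rdata.split()[1:]  # first field is the next owner name
            # A delegation point without DS: NS set, DS and SOA absent.
            if "NS" in types and "DS" not in types and "SOA" not in types:
                return "insecure-delegation-proven"
        if rtype == "NSEC3" and "NSEC3" in signed:
            return "nsec3-present-hash-not-checked"
    return "no-denial-proof"  # a validator cannot accept the unsigned child

# Constructed sample responses (not captured from any real server).
HEAD = ";; QUESTION SECTION:\n;child.example.org. IN DS\n\n;; AUTHORITY SECTION:\n"
SOA = ("example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. "
       "1 7200 3600 1209600 3600\n"
       "example.org. 3600 IN RRSIG SOA 8 2 3600 20100901000000 "
       "20100801000000 12345 example.org. c2lnLXBsYWNlaG9sZGVy\n")
NSEC = ("child.example.org. 3600 IN NSEC d.example.org. NS RRSIG NSEC\n"
        "child.example.org. 3600 IN RRSIG NSEC 8 3 3600 20100901000000 "
        "20100801000000 12345 example.org. c2lnLXBsYWNlaG9sZGVy\n")
BROKEN = HEAD + SOA          # empty DS reply with no NSEC/NSEC3
GOOD = HEAD + SOA + NSEC     # empty DS reply with signed NSEC proof

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("good", GOOD)):
        print(label, classify_ds_response(text, "child.example.org"))
```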



More information about the bind-users mailing list